change encryption to sse-s3

terraform-modules · Nov 1, 2022 · 9b384d1 · 9b384d1
1 parent d29f5ad
commit 9b384d1
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 6 deletions.
diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md
@@ -81,6 +81,7 @@ No modules.
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_versioning_configuration"></a> [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended).  To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
 
 ## Outputs
 

diff --git a/s3-flow-logs/kms.tf.off b/s3-flow-logs/kms.tf.off
@@ -0,0 +1,19 @@
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for flowlogs"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    {
+      "boc:aws:region" = local.region
+      Name             = local.name
+    },
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
+}
diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf
@@ -42,10 +42,11 @@
 
 locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
-  flowlogs_region     = data.aws_region.current.name
+  regions             = [for r in tolist(data.aws_regions.current.names) : r if startswith(r, "us-")]
+  region              = data.aws_region.current.name
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
-  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
 
   base_tags = {
     "Organization"          = "census:aditcio:csvd"
@@ -112,7 +113,7 @@ resource "null_resource" "policy_delay" {
 resource "aws_s3_bucket_ownership_controls" "flowlogs" {
   bucket = aws_s3_bucket.flowlogs.id
   rule {
-    object_ownership = "BucketOwnerEnforced"
+    object_ownership = "BucketOwnerPreferred"
   }
 }
 
@@ -127,19 +128,22 @@ resource "aws_s3_bucket_acl" "flowlogs" {
 ##   target_prefix = format("%s/%s/", var.access_log_bucket_prefix, local.bucket_name)
 ## }
 
+# see docs: https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "flowlogs" {
   bucket = aws_s3_bucket.flowlogs.id
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      #      sse_algorithm = "aws:kms"
+      sse_algorithm = "AES256"
     }
+    bucket_key_enabled = true
   }
 }
 
 resource "aws_s3_bucket_versioning" "flowlogs" {
   bucket = aws_s3_bucket.flowlogs.id
   versioning_configuration {
-    status = "Disabled"
+    status = var.versioning_configuration
   }
 }
diff --git a/s3-flow-logs/policy_data.tf b/s3-flow-logs/policy_data.tf
@@ -7,12 +7,23 @@ data "aws_iam_policy_document" "flowlogs_s3" {
       type        = "Service"
       identifiers = ["delivery.logs.amazonaws.com"]
     }
-    resources = ["${aws_s3_bucket.flowlogs.arn}/*"]
+    resources = [format("%v/*", aws_s3_bucket.flowlogs.arn)]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      #      values   = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)]
+      values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)]
+    }
   }
   statement {
     sid     = "AWSLogDeliveryAclCheck"
@@ -23,5 +34,16 @@ data "aws_iam_policy_document" "flowlogs_s3" {
       identifiers = ["delivery.logs.amazonaws.com"]
     }
     resources = [aws_s3_bucket.flowlogs.arn]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      #      values   = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)]
+      values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)]
+    }
   }
 }
diff --git a/s3-flow-logs/variables.tf b/s3-flow-logs/variables.tf
@@ -18,3 +18,9 @@ variable "component_tags" {
   type        = map(map(string))
   default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
 }
+
+variable "versioning_configuration" {
+  description = "S3 Versioning Configuration (Enabled, Disabled, Suspended).  To disable, use Suspended if existing bucket and Disabled if new"
+  type        = string
+  default     = "Disabled"
+}